Data protection information for suppliers

We take the protection of personal data seriously and comply with data protection regulations, in particular the EU General Data Protection Regulation (“GDPR”) and the German Federal Data Protection Act (“BDSG”). In particular, this means that we only process personal data if we are permitted to do so by law or if the data subject has given their consent.

In this data protection information, we explain what information (including personal data) we process in connection with the business relationship between you and us.

1. Who is responsible for data processing?

The controller responsible for the processing of personal data under data protection law is:

Fels-Werke GmbH, Geheimrat-Ebert-Str. 12, 38640 Goslar, Phone: 05321-703-0,
Fax.: 05321-703-321 , Mail: info@fels.de

Fels Vertriebs und Service GmbH & Co. KG, Geheimrat-Ebert-Str. 12, 38640 Goslar,
Phone: 05321-703-0, Fax: 05321-703-321, Mail: info@fels.de

Fels Netz GmbH, Hornberg 1, 38875 Oberharz am Brocken, OT Elbingerode,
Phone: 05321-703-0, Fax: 05321-703-321, Mail: info@fels.de

Insofar as “we” or “we” are mentioned in this data protection information, this refers in each case to the company concerned.

Our data protection officer can be reached via the above contact channels as well as at datenschutz@fels.de

2. Which principles do we observe?

The execution of our business relations requires the processing of data of our service providers/suppliers. Insofar as this data allows conclusions to be drawn about a natural person (e.g. if you enter into a business relationship with us as a sole trader), this is personal data. Irrespective of the legal form of our contractual partner, we also process data on the contact persons at our contractual partner.

Master data:

We process basic data about our contractual partner and the contact persons and the existing business relationship with our contractual partner, which we generally refer to as “master data”. This includes in particular

  1. all information that was provided to us when the business relationship was established or that we received from our contractual partner or a contact person (e.g. addresses, telephone/fax and mobile phone numbers, e-mail addresses, tax numbers, bank details); and
  2. the data that we have collected in connection with the establishment of the business relationship with us (such as, in particular, the details of the contracts concluded);

Progress data:

We process personal data that arises in the course of the business relationship, which may go beyond a mere change of master data and which we refer to as “historical data”. This includes in particular

  1. Information about the services provided or accepted by our contractual partner on the basis of the contracts concluded;
  2. Information about the services provided or accepted by us on the basis of the contracts concluded;
  3. Information provided to us by our contractual partner or a contact person in the course of the business relationship – either actively or in response to a request from us;
  4. personal data which we receive in the course of our business relationship in any other way from our contractual partner, a contact person or from third parties;

To the extent permitted by law, we may also store personal data from third parties in addition to master data and historical data. This includes, for example, data on the economic situation of our contractual partners if this is necessary to assess economic risks – such as payment defaults.

3. for what purposes and on what legal basis do we process personal data?

  1. The processing of master data and historical data is carried out for the fulfilment of existing contracts with a natural person as a contractual partner or for the implementation of pre-contractual measures on the basis of Article 6(1)(b) GDPR. Regardless of the legal form of our contractual partner, we process master and process data with reference to one or more contact persons in order to safeguard our legitimate interest in the implementation of the business relationship on the basis of Article 6 paragraph 1 f) EU GDPR.
  2. We may also process master data and historical data to fulfil legal obligations to which we are subject; this is done on the basis of Article 6(1)(c) GDPR. These legal obligations include, in particular, the reports to (tax) authorities that we are required to submit.
  3. Where necessary, we process data beyond the execution of the concluded contracts and the fulfilment of legal obligations also for the protection of our legitimate interests or the interests of third parties; this is done on the basis of Article 6 paragraph 1 f) EU GDPR. Our legitimate interests include:
    1. Group-wide processes for the internal administration of business partner data
    2. the identification of economic risks – such as payment defaults – in connection with our business relationships;
    3. the assertion of legal claims and defence in legal disputes;
    4. the prevention and investigation of criminal offences;
    5. the management and further development of our business activities, including risk management
  4. Soweit wir einer natürlichen Person die Möglichkeit zur Erteilung einer Einwilligung in die Verarbeitung personenbezogener Daten geben, verarbeiten wir die von der Einwilligung umfassten Daten für die in der Einwilligung genannten Zwecke; dies erfolgt auf Grundlage von Artikel 6 Absatz 1 a) DSGVO.

    Bitte beachten Sie, dass
    1. the granting of consent to us is voluntary;
    2. that the non-granting of a consent or its later revocation can nevertheless be connected with consequences, about which we inform before granting of the consent and
    3. that a consent given to us can be revoked at any time with effect for the future, e.g. by notification by post, fax or e-mail via one of the contact channels specified in the chapter “1. Who is responsible for data processing” of this data protection information.

4. is there an obligation to provide personal data?

The provision of the master data and historical data mentioned under #2. Prosessing of data is necessary for the establishment and implementation of the business relationship with our contractual partners, unless expressly stated otherwise by us when collecting this data. Without the provision of this data, we cannot establish and conduct a business relationship.

If we also collect personal data, we will inform you at the time of collection whether the provision of this information is required by law or contract or is necessary for the conclusion of a contract. As a rule, we identify information that is provided voluntarily and is not based on any of the aforementioned obligations or is not required for the conclusion of a contract.

5 Who receives personal data?

Personal data is always processed within our company. Depending on the type of personal data, only certain departments / organisational units have access to personal data. This includes in particular the purchasing department and – for data processed via the IT infrastructure – to a certain extent also the IT department. A role and authorization concept limits access within our company to those functions and to the extent necessary for the respective purpose of processing.

We may also transfer personal data to third parties outside our company to the extent permitted by law. These external recipients may include in particular

  1. affiliated companies within the SigmaRoc Group to which we transfer personal data for internal administrative purposes;
  2. the service providers employed by us who provide services for us on a separate contractual basis, which may also include the processing of personal data, as well as the subcontractors of our service providers engaged with our consent;
  3. non-public and public authorities, insofar as we are obliged to transfer your personal data due to legal obligations.

6. is automated decision-making used?

When establishing or in the course of the business relationship, we do not use automated decision-making (including profiling) within the meaning of Article 22 GDPR. If we use such procedures in individual cases, we will inform the persons concerned separately to the extent required by law.

7. is data transferred to countries outside the EU/EEA?

The processing of personal data takes place exclusively within the EU or the European Economic Area; a transfer to other countries (so-called “third countries”) is not planned.

8 How long is personal data stored?

We generally store personal data as long as we have a legitimate interest in this storage and the interests of the data subject in not continuing the storage do not outweigh this interest.

Even without a legitimate interest, we may continue to store the data if we are legally obliged to do so (e.g. to fulfil storage obligations). We also delete personal data without the intervention of the data subject as soon as knowledge of it is no longer necessary to fulfil the purpose of the processing or the storage is otherwise legally inadmissible.

As a rule, the master data and other personal data collected in the course of the business relationship are stored at least until the end of the business relationship. The data will be deleted at the latest when the purpose has been achieved. This may only occur after the business relationship has ended. The personal data that we have to store in order to fulfil our storage obligations will be stored until the end of the respective storage obligation. As far as we store personal data exclusively for the fulfilment of storage obligations, these are usually blocked, so that they can only be accessed if this is necessary with regard to the purpose of the storage obligation.

9. what rights does a data subject have?

A data subject has the right

  1. to information about the personal data stored about them, Article 15 GDPR;
  2. to rectification of inaccurate or incomplete data, Article 16 GDPR;
  3. to erasure of personal data, Article 17 GDPR;
  4. to restriction of processing, Article 18 GDPR;
  5. to data portability, Article 20 EU GDPR;
  6. to object to the processing of personal data concerning you, Article 21 EU GDPR;
  7. to lodge a complaint with a competent supervisory authority for data protection, Article 77 GDPR.

If you have any questions or requests for changes to the use of your personal data by us, please send them – for reasons of complete and speedy processing – exclusively in writing to: datenschutz@fels.de

We will examine your request immediately and take the necessary measures.

You can find our current privacy policy at: